It's a very broad topic. In addition, it is very difficult to give detailed recommendations at a general level in isolation from a specific organization.
1/ - You should protect data and the environment in which they are stored and processed against unauthorized access. It is difficult to give detailed instructions on how to do this, because security should not paralyze the functioning of the organization. For me, the most sensitive data is on devices without physical access to the network. You can't use this solution everywhere.
2/ - If data must be accessed over the network, use multi-factor authentication using physical devices.
3/ - Verify access rights and grant such scope of permissions as is necessary for effective functioning, but not more. In some cases, it is worthwhile for one person to use several accounts with different permissions, so that they do not have to log in with full permissions for tasks that do not require it.
4/ - Pay attention to who has physical access to devices that store sensitive data. Making a copy of the medium does not require logging into the system if you can connect the medium to another device. It is also possible to boot the computer from foreign media containing a foreign operating system.
5/ - Use encryption. Avoid compromised encryption systems. Pay attention to how your encryption keys are stored. Follow the rules for creating strong passwords. An encryption system is only as strong as its weakest element. With brute force, it is not the encryption keys that are attacked but the passwords that allow the medium to be decrypted.
6/ - perform backups according to the 3-2-1 rule. Verify the correctness of backups. Regularly perform a full backup - do not allow yourself to have only a full backup of the initial state and an infinite number of snapshots. Separate the backup from the production environment so that attacks on the production environment do not escalate to the backup.
8/ - Pay attention to the technical condition of data carriers. Do not use damaged or heavily used devices. Take care of a correct and stable power supply. Remember that SSDs often fail suddenly and without warning signs. Recovering data from an SSD is also usually more complicated than from an HDD.
9/ - correctly and accurately remove data from media and devices withdrawn from service or transferred to other users within the organization.
10/ - take care of physical safety, protection against burglary, unauthorized and uncontrolled access to rooms, fires, flooding and similar threats.
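The point made in 5/, that brute force goes after the password rather than the key, worked through as an added example (this is not code from the original post). It assumes the common disk-encryption layout in which a random 256-bit data-encryption key is wrapped by a key derived from the user's password, and it uses a crude character-class entropy estimate; the scrypt parameters are an assumption for the example.

```python
import hashlib
import math

# Assumption for the example: the medium is encrypted with a random 256-bit
# data-encryption key, and that key is itself wrapped by a key derived from
# the user's password with a memory-hard KDF (the pattern used by tools such
# as LUKS). An attacker with a copy of the medium therefore guesses passwords,
# not 256-bit keys.
KEY_BITS = 256

def derive_wrapping_key(password: str, salt: bytes) -> bytes:
    """Derive the 32-byte key that wraps the data-encryption key.
    scrypt parameters are an assumption chosen for this example."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)

def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: assumes every character is drawn
    uniformly from the union of character classes actually present."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(not c.isalnum() for c in password):
        classes += 33  # printable ASCII punctuation
    return len(password) * math.log2(classes) if classes else 0.0

def weakest_link(password: str, key_bits: int = KEY_BITS) -> tuple:
    """Return which element bounds the attacker's search space and its size in bits."""
    pw_bits = password_entropy_bits(password)
    return ("password", pw_bits) if pw_bits < key_bits else ("key", float(key_bits))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole search space at a constant guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = b"constructed-salt-for-example"
    for pw in ("hunter2", "aB3!", "correct horse battery staple 42!"):
        element, bits = weakest_link(pw)
        key = derive_wrapping_key(pw, salt)
        print(f"{pw!r}: weakest element = {element} ({bits:.1f} bits), "
              f"{years_to_exhaust(bits, 1e9):.2e} years at 1e9 guesses/s, "
              f"wrapping key = {key.hex()[:16]}...")
```

The KDF work factor slows each guess, but it does not change which element is smaller: the search space is bounded by the password's entropy until the password carries more entropy than the key itself.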
Remove the sensitivity from the sensitive data as far as possible. I mean to say: partition the data in such a way that the sensitive elements are anonymized.
Brajesh Mishra Data sensitivity assessment is highly subjective. Sensitive data is not always personal data, and not all personal data is really sensitive, although legal regulations require us to treat it as such. But sensitive data can also be technical, financial or business data, or data recorded by sensors. Very often the context determines the sensitivity of data. When I recover data from a damaged drive, I always treat it as sensitive, although it is often readily available to the public. I just don't verify it. But a lot of data taken out of context loses its meaning. Imagine a project so secret that small teams of engineers work on small tasks without knowing what purpose those tasks serve. There is a huge risk that you will not be able to put together a coherent whole from what they create.
Yes, I agree that controlling and restricting access to data will improve their security, but in such situations there is always a difficult compromise between data security and the effectiveness of processes implemented by organizations.
Identify and evaluate what sensitive data you are holding, what cybersecurity threats and challenges you are experiencing in your daily routine, and what strategies you would like to implement. Take the time to visit my Program Logic Model; maybe you can get something useful from it. Thank you. https://ijere.iaescore.com/index.php/IJERE/article/view/22863/13382
Good question, Isaac Obiri. This question has already been asked and answered comprehensively following US best practices, as explained in the attached linked report from the US Institute of Internal Auditors. You will find the link to the free article in the 'Description' box.
Paweł Kaczmarzyk Sensitivity is not subjective at all. There are clear rules, depending on the application, such as PCI for card payments, HIPAA for medical data, and GDPR for EU data.
Wim Ton Yes, there are regulations that make us treat certain data as sensitive, but they only slightly limit subjective assessments of data sensitivity. For example, there are people who make money as porn actors, but there are also those who commit suicide in response to the leak of their intimate photos. This may be an extreme example, but it reflects the difference in the subjective assessment by different people of something that for me is just a file. What about data not listed in legal regulations? Can we assume that it is not sensitive, or that it is only subject to weaker legal protection? And can data lose or gain sensitivity when crossing the borders of countries with different regulations? All the more so because, in the case of data storage in the cloud, it is often the case that the user operates in one legal regime and the cloud operator in another. And was exactly the same data not sensitive before the introduction of the relevant regulations, but became so as a result of the change in the law? The law sometimes seems to create reality, but in reality it only tries to regulate it. Legally defining what data is sensitive is an attempt to average reality, but the issue of data sensitivity for its owners is still very subjective. Therefore, when responsible for someone else's data, it is better to treat it as sensitive en masse.
Paweł Kaczmarzyk So, it may be better to define the required protection based on the consequences of a successful attack. I once somewhat jokingly proposed an alternative for the classical "confidential, secret, top-secret" classification: "amusement, scandal, life-or-death". Amusement: you do not want it in the press. Scandal: people may lose their job. Life-or-death: obvious, and also nicely described in your reply. So, GDPR data may land in the "scandal" category, as the company may face a hefty fine and lose business (and some employees may lose their job if it was gross negligence).
AFAIK only the GDPR uses fines that can actually hurt.
Many countries and even companies have rules about cross-border data transfer, generally that the protection in the receiving country must be at least as high as in the sending country. See the "safe haven" treaty and Schrems 2.
On a different topic. Everybody still seems to be focused on confidentiality, but the criminal model is moving to availability. OK, you just copy the data if you are inside anyway, but the money is to be made by ransom. And even if nothing is paid, it is a major disruption of operations. Except for login credentials and credit card info, the copied information has little black market value (a micro$ or less per record).
Wim Ton I really like your distinction of the consequences of a data leak. It agrees with my perception. But still, subjective factors and individual assessment of whether a given situation is only funny, embarrassing, causing real damage or destroying life play a very important role in this regard. Acting within the organization, we try to regulate these issues with internal procedures, which are usually more restrictive than applicable law. We also create these procedures to make it easier for employees to make decisions in accordance with the interests of the entire organization. People with different sensitivities and different understandings of the meaning of the data they have access to could make different, inconsistent and even contradictory decisions. When GDPR was introduced, I asked my lawyer what I should change. He told me that nothing, because my internal rules are still more restrictive than the regulations, only that now officials can demand from me documents proving that this is the case. Yes - cybercriminals often operate in a model similar to thieves grabbing the door handles of cars parked in a large parking lot. If the parking lot is large enough, you will always find an open car there from which you can take random loot. With little effort and a large number of small benefits, the effects can economically justify the actions taken. And the fact is that single pieces of information on the black market have little financial value, but also sometimes behind such a single piece of information there may be a single drama of a single person. And this situation can also be highly subjective.